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It’s great to be back at Fordham and great to see all of you this morning. What I want to 
do this morning is just share with you briefly some thoughts about how the FBI sees the 
threat in all things cyber, how we slice up that threat, what we're trying to do about it, 
and how we need your help, especially those of you who are in the private sector. Then 
I'd like to take your questions. 

Let me start with the overview of the threat and I'll start with, who are the players? At the 
top of that stack we see increased effort at cyber intrusion by nation-states and near¬ 
nation-state actors. China, Russia, Iran, and North Korea are the most prominent 
players. We also see just in the three years I've been Director a growth in multinational 
cyber syndicates—criminal groups that are increasingly specialized as to role, and who 
are stealing information for sale to the highest bidder for criminal purposes. 

We see ransomware spreading like a virus. It is simply about a pure business 
proposition—how much people will pay to continue to do their business. Then 
hacktivism, which is the term we use for a motley collection of people of all different 
kinds of motivations, some political, some financial, some just pure harassment. And 
then of course terrorists, who have highly proficient at using cyber space to proselytize, 
to recruit, to direct, to inspire, who are quite literally buzzing in the pockets of troubled 
people all over the country and all over the world trying to move them toward violence, 



and who aspire to gain unauthorized access to our systems. They aren’t there yet. 
They're trying very hard to move in that direction. 

How do these threat actors operate increasingly in complex ways? We see the 
combining of multiple techniques and inside knowledge, especially based on some form 
of social engineering, using the so-called human vector to get at us, using social media 
to gather information about employees, and then increasingly taking advantage of 
insiders. People whom despite their best efforts at patching and defending and 
segmenting your network have access to the network because they have to have 
access. They work there. Disgruntled employees, people willing to sell access to the 
highest bidder or people with axe to grind. 

What they're after is obvious: information and access and advantage and money. 
Increasingly we are worried not just about the theft of data but the corruption of data, 
and the denial of access to our own data in cases like Sony. 

The impact is known to everybody in this room so I won't spend a lot of time on it. These 
are more than just attacks on our infrastructure. They are more than just attacks on your 
money. It’s about attacks on employees. It’s about attacks on reputation. It’s about 
attacks on our economy and security and even attacks on our fundamental freedoms 
like freedom of speech. The Sony attack was after all an attack on speech. This was not 
only a nation-state actor; this was a bully trying to stop someone from talking in a way 
that irritated the bully. 

This behavior needs to be called out, it needs to be sanctioned, it needs to whenever 
possible be prosecuted. What can we do? We know we can't prevent every attack, but 
we believe this behavior, all manner of cyber intrusion, is susceptible to deterrence 
because it’s not done high on crack, it’s not done inflamed by a motive to finding a 
cheating spouse. It’s done with thought and fingers on a keyboard. That offers an 
opportunity to change behavior, to shape behavior. 


To do that we think we have to get a whole lot more—we, the FBI—more predictive and 
less reactive. 



That’s also true with the rest of the government and the private sector. We think there 
are three pillars to doing this. First we have to see how to work to reduce our 
vulnerabilities. We in the FBI believe we can contribute there by helping people 
understand better the vectors of attack, what the thugs and criminals and hacktivists 
and nation-states are after and how they're coming for it, to enable our private sector 
partners and our government partners to harden their targets better. We also think by 
using our bully pulpit we can help all of you convince boards of directors and executives 
that cyber security has to be invested in at every level. It’s not just about your systems; 
it’s also about your people. 

Second, we think we can help reduce the threat. As I said, we can't eliminate it. We 
can't eliminate every vulnerability, but we can find those responsible and send strong 
messages of deterrence to change behavior. Deterrence includes, obviously, means 
locking people up. It also includes sanctioning people and shaming people to change 
behavior. Third, obviously the government has an important role to play in mitigating 
damage after an attack to help people. What just happened to their system so they can 
patch and repair and get on with life and business. 

The FBI, for our part, has a strategy that has five parts. It should be fairly obvious for 
those of you who know us. The first thing we're trying to do is focus. This means we 
have to focus ourselves in several different ways. We're trying to focus ourselves with 
an understanding that the normal model for deciding where to do our work is based on 
physical manifestations of harm. The bank robbery happened in Chicago, and so the 
Chicago office will work that. We're trying to focus our work with a recognition that 
physical manifestation is not all that meaningful a thing when it comes to cyber. 

Where did it happen? Is it where the headquarters is? Is it where the first manifestation 
in a subsidiary was? We've decided that it really doesn't matter where the physical 
manifestations of a hack are. We think it makes much more sense to assign the work 
based on power, based on who has the chops to work this particular threat and work it 
from there. Then allow other offices to help based on a nod towards physical place and 
physical manifestation. 



We're asking ourselves, who are the FBI’s best teams equipped to work this threat? Not 
accidentally, we're also hoping to set up a competition inside the FBI. Our offices will 
compete to be the dominant player against a particular threat. If Little Rock has the 
chops, it doesn't matter when the first manifestation of the hack is in a corporate 
headquarters of New York City. If Pittsburgh has the chops against this threat, it will be 
worked in Pittsburgh. 

The second way we're trying to focus is to recognize that we can't have enough talent in 
all places. We need to have a focus on teams of experts that we can surge. This was a 
technique we've used effectively for 25 years against terrorism with fly teams. Experts 
who are ready to go at a moment’s notice to work terrorism cases. We've built cyber 
action teams made up of all different kinds of experts who can move at a moment’s 
notice to fly to a particular incident. 

The third way we're trying to focus ourselves is getting the right people inside the FBI to 
help us do this work. It will not shock you to know that recruiting is a challenge for all of 
us when it comes to cyber talent and a lot of you have a whole lot more dough to throw 
at the problem than I do. We need this great talent in the FBI, not working for you. We 
need them inside the FBI, and I'm going to give you some of my secrets, but not a lot, 
because our interests are not aligned here. 

We can't compete on money. We have to compete on mission. We can't accomplish the 
mission if we don't have the talent inside the organization. The challenge we face was 
summed up by something one of my five kids said to me. One of my daughters said, 
"Dad, you're the man," and I said, "Thank you." She said, "Dad, I don't mean that in a 
nice way. The problem is you're ‘the man.’ No one wants to work for ‘the man.’" I think 
she’s right. 

Except if people see what “the man” and “the woman” are like in the FBI and the work 
we get to do, I think I can beat you no matter how much dough you throw at our folks. 
And we have to start by making sure great talent sees what this mission is all about. 


One thing that we're about to do is to hire a senior level data scientist, something we've 
never done in the FBI. We're going to hire somebody up at the assistant director level to 



work with the assistant director of cyber and other senior FBI leaders to do a few things 
for us. We want this person to help us understand, to provide technical and operational 
guidance to us to make sure we're doing what we need to do, and to make sure we 
have the best technology to attract those people to work for “the man,” and just as 
importantly to help us figure out who are the right people, and how do we fetch them to 
get them into our organization. 

We need somebody who understands every aspect of the world when it comes to 
cyber—both public and private—to help us find the future and drive decision-making 
both on a case basis and on a personnel policy basis. 

We're also hiring, as you may know lots, more agents and analysts to help us work 
cyber. Now the challenge for us when it comes to special agents is this: to hire a cyber 
special agent we need three buckets of attributes. We need integrity. That’s non- 
negotiable. You can't be smoking weed on the way to the interview. Second, we need 
physicality. To be an FBI agent, to have a firearm on behalf of the United States, you 
need to be able to run, fight, and shoot. We need physicality in addition to that integrity. 
Lastly, to be a cyber special agent we need high intelligence and technical talent. 

Those three buckets are fairly rare in nature. We will find people with great integrity, 
high intelligence, and technical skills that can't do a push-up. We will find people who 
have high integrity, who can do lots of push-ups, but don't have the technical talent to 
be a cyber agent. We're struggling with this and we're trying to have enough humility to 
realize that our world has changed and so the way we think about talent has to change 
as well. Among the things we're considering is, if we can get integrity and physicality, 
can we grow and teach our own? Can we have a cyber university inside the 
government? Or should we think differently about what makes up the cyber squad? 

Currently in the FBI, about eight special agents make up a cyber squad. Does it need to 
be that way? Do we need eight firearms in that cyber squad or can we make teams with 
a different mix of non-agent talent and agent talent? Now we are going to try all different 
kinds of things and be open to modification and to failure and to being wrong and then 
we're going to try again. That is what we're trying to do when I say focus. Better focus 



ourselves in a better way and try to focus ourselves on getting the right people inside 
the organization. 

The second thing we're trying to do is shrink the world in two different respects— 
internally and externally. We have to shrink the world inside the federal government so 
we are more effective and efficient. And we need to make sure we shrink the external 
world. You've heard a lot I think over the last two days about the new presidential policy 
directive. It clarifies the rules of the lanes in the road for those of us inside the 
government. That will shrink our world so we don't waste time figuring out who needs to 
do what, we're much more effective and we'll also reduce the confusion with our 
partners on the outside. 

We want to make it irrelevant who you call. You can call the great people of the Secret 
Service, you can call the great people of the FBI, you can call anybody about a cyber 
intrusion and we'll figure out who should do what. We'll figure it out now, and provide 
clear guidance much more quickly than we could before. 

As you heard, the DOJ will be the lead threat responder—not the only threat responder, 
but the lead threat responder working though the FBI and the NCIJTF. Then our 
responsibility will be to coordinate with others who might have something to bring to 
bear in responding to the threat. DFIS, with their considerable expertise, will take the 
lead in asset response. They will try to mitigate vulnerabilities and reduce impact. Then 
the Director of National Intelligence will be responsible for giving all of us intelligence 
support so we can see where the threat is coming from and what it might mean. 

Really this confirms the way that we've been acting, but it makes sure that it’s written 
down in ink so it doesn't matter who is the leader of group inside the government—the 
rules come last and our efficiency remains. We also know we have a shared 
responsibility inside the government and outside. As I said though, that’s not for you to 
worry about. You need to know only that you need to talk to us. That’s a problem I'm 
going to get back to in a second. 

The second way we're going to shrink the world is by forward-deploying more of our 
people. This is work that’s been underway since the last time I was here. We're putting 



more and more cyber agents and cyber analysts embedded in our overseas offices 
because although the cyber world seems based only on photons, those human 
relationships allow us to be faster than we would otherwise. You're going to see a lot 
more of that from the FBI. 

The third aspect of our strategy is to impose costs. We have to lock people up. We send 
a message that changes behavior as fingers head towards the keyboard. If we can't 
lock them up we've got to call them up through indictments, through sanctions, through 
public name and shame campaigns. 

Sometimes people say, isn't this shouting into the wind when you indict, say, Chinese 
actors for criminal theft? After a year-and-a-half my answer is, “No, it’s more than that.” 

It changes behavior; it sends a wind that changes behavior. There’s a Wanted poster all 
around the world with a face of a particular Chinese threat actor. That changes 
behavior. That person might have dreams of going abroad, might have dreams of 
traveling to visit their children. The fear of the long arm of the law makes a difference. 

We've tried to convince people that we have many flaws in the FBI, but we are dogged 
people. We just gave up on D.B. Cooper. He had to be 90 and he jumped out of an 
airplane before we were willing to do that. It’s the same reason we brought the 
indictment against the Iranian actors for the DDoS attacks in '12 and '13—to send a 
message of deterrence. 

Part of this has been a grappling towards a set of norms, especially with the Chinese, to 
have them understand something. Nation-states gather intelligence. Nation-states 
always have. We all do it. We'll try to stop you; you'll try to stop us. What nation-states 
cannot do is steal stuff to make money. That is outside of norms. 

We are making significant progress at having that framework be understood around the 
world. Whether through indictment or prosecution or sanction or publicity, we are 
working very hard to have people sitting on a keyboard feel us behind them. We need to 
get to a place where we can get to them as easily as they can get to us. 



Our fourth part of our strategy is that we've got to help our state and local partners. 
There’s only so much we in the federal government can get to and our state and local 
partners are overwhelmed with cyber crime reports of all kinds. People getting an e-mail 
from me, from my summer home in Nigeria, asking them to wire money to me in 
Nigeria. All kinds of fraud. The business e-mail scams, they've become a plague. Our 
state and local partners have to work through us, and if they're going to be effective we 
must help them though training and technology. 

The fifth part is the last part. That’s private sector collaboration. This is something we 
talked about last time I was here, so I'm not going to say a whole lot about this except 
one aspect in particular. 

The majority of our private sector partners do not turn to law enforcement when there is 
a system breach. That is a big problem. It is fine when they turn to one of the excellent 
private companies that provide attribution or remediation, but we have to get to a place 
where it’s routine for all of us to work together. For you to call us when there’s an 
intrusion and not just a private sector enterprise. 

We understand that your primary concern in the private sector is to get back to 
business, to get back to where you were. By we, I mean not just the government, but 
we, all of us, need to figure out who’s behind the attack. There may be on the surface a 
divergence of interest but our long-term interests are tightly aligned. Because if we don't 
find out who the actors are and impose costs on them, they will be back and they will 
victimize you and your industry again and again. 

What’s our strategy for getting you to talk to us more?lt’s us talking constantly. It’s us 
bugging you constantly to give us a try, to tell you that we've been doing this for years 
now, and we understand how to do this in a way that doesn't re-victimize someone 
who’s a victim, because that’s how we think of you. We do not think of private sector 
partners who have been victimized by cyber intrusion any differently than we do a victim 
of a violent crime, a victim of a stalking, a victim of an extortion. We will work like crazy 
to make sure you are not re-victimized. 



We can’t promise you—and we will not lie to you and promise you—that never ever 
ever will any of your company’s information be exposed publicly if we investigate. What 
we'll do is have constant conversations with you so you can understand exactly what 
might happen and what will happen so you can make an informed risk-benefit choice. 

This is about building trust over a long period of time. It actually reminds me of the effort 
we engaged in for a couple of decades to build trust between those with law 
enforcement responsibilities in the United States and those with intelligence 
responsibilities. Since the 1980s we've had a statute called the Classified Information 
Procedures Act, which was enacted to give clear rules of the road, as insurance to the 
intelligence community that in criminal prosecutions, intelligence equities would be 
protected. 

They never believed it. The people in the intelligence community were very, very 
skeptical that they could trust prosecutors and investigators with criminal authorities. We 
had to build that trust, case by case by case. 

One of the most important cases in building that trust was the East Africa bombings in 
August of 1998. In the wake of that bombing, the CIA was doing a lot of work in East 
Africa trying to figure out what happened, and so was the FBI. What we worked out was 
that when we went on a search, we would always have an FBI agent there. Nobody 
from the agency would ever have to testify. There would always be a set of FBI eyes 
that could testify. We would not burn them. We promised that. We kept that promise in a 
trial that happened here in the early part of 2001. 

That’s a single example but there’s a pile of examples to build that trust. Because the 
rules matter, but the way people act within that framework matters most of all. What 
you're going to see from the FBI is a whole lot of conversation where we will say to you, 
“What are your concerns? Let’s address your concerns.” 

We've been at this a long time. We understand your concerns about competitive 
advantage, we understand that you’re concerned about disrupting your operations, you 
have concerns about dealing with regulatory agencies, and you have concerns about 
liability. As a former general counsel, I know that very well. We have been and will 



continue to minimize disruptions, to minimize exposures for a victim. We will prove it to 
you. We're also working very hard to push, push, push information to you. 


The last thing I want to say about this is that we also understand it’s not about the 
breach anymore. This is why I think the FBI has something unique to bring to the table 
that people don't realize. As the breaches grow more sophisticated and more common, 
it’s now about not just the breach, it’s about HR concerns that follow the breach. It’s 
about supply chain concerns; it’s about damage to customers and operations. It’s even 
about radicalization. 

For the company that’s been breached, increasingly, just fixing the breach is like 
patching a tire with some of that nasty goop you spray into your tire. It'll get you to the 
gas station but it’s not sustainable for a long-term fix. The FBI brings to bear here as the 
lead agency for threat response a much fuller tool box that people may realize. 

We think of it as cyber-plus. Given the range of our responsibilities, it’s cyber plus 
terrorism, cyber plus counter intelligence, cyber plus criminal, cyber plus international. 
The bureau’s footprint is worldwide. We think that brings to the table assets and 
capabilities that match this understanding that it’s more than just a breach. We'll help 
you in ways that you may not fully understand. We hope you'll have that conversation to 
help us explain to you. 

What do I need you to do? Talk to us. Talk to us before there’s a breach. All of you who 
have headquarters buildings with significant subsidiary buildings, the fire department 
knows those buildings. Because you've done something smart: You’ve made sure that 
the fire department doesn't need to be figuring out how many floors you have, how 
many exits you have, where your standpipes are during a fire. They’ve come there, 
they've seen the layout, you haven't shown them anything secret, but they're able to 
operate in smoke and save lives in your building. I would urge you to do something 
similar when it comes to cyber. 

The Sony attack was awful. It could have been a lot worse. We had agents and analysts 
on site there within hours. We knew Sony because they'd taken the time to talk to us 
beforehand. We knew the people in their IT organization, we knew their CISO. We didn't 



know secrets from them. We don't need to know what your business model is, we don't 
need to know anything confidential, but it’s very, very smart for you who are CISOs to 
make sure you know who we are, so that like the fire department, we have a general 
sense of what help you might need in the event of a fire. 

I want to close by saying something about encryption because that issue has, for 
reasons I fully understand, dipped below public consciousness right now, which is fine. 
That’s a conversation we're going to have as a country, and just in front of a 
sophisticated audience I want to remind you of why. 

In this great country, our founders struck a bargain for us 240 years ago, and it goes like 
this: Your stuff is private. The Founding Fathers didn’t speak this way; they didn’t use 
words like “stuff.” I speak this way. Your stuff is private unless the government needs to 
see it, and with appropriate predication and appropriate oversight, the balance of this 
country, the balance of liberty is that the government gets to see your stuff, if they really 
need to, and with appropriate oversight. That’s a bargain tried among other places in 
the Fourth Amendment. No warrant shall issue except upon showing improbable cause, 
and no general warrants. That’s our bargain. 

We've lived with that for 240 years in ways we may not even fully focus on. No car, no 
apartment, no closet, no bank was off-limits from judicial authority operating under that 
framework. Judges even have the ability to force us to say what’s inside our heads, to 
force us to testify what we saw, what we heard, what we witnessed—again assuming 
that our other rights are respected. 

We're moving to a place where wide swaths of American life are absolutely private. Our 
devices are moving toward a place of absolute privacy and there’s something seductive 
about that. Even I, when I heard that, I said, "That sounds cool. No one can look at my 
stuff. No one can look at my pictures, no one can look at my notes, no one can look at 
my—I don't keep a diary, but if I did no one can see it.” 

Now remember the bargain we have struck. I'm not here to tell you what the answer is 
to resolve this problem but one thing we have to recognize is that moving to a place 
where huge swaths of American life are by default out of reach of judicial authority is a 



different way to live. We've never lived that way before and it destroys the balance that 
our founders struck and maybe that’s okay or maybe that’s terrible. That is not for the 
FBI to say. 

The FBI’s job is to tell the American people when the tools you're counting on us to use 
to protect you aren't working so much anymore. We need to shout from the rooftops but 
the FBI should not tell people what the answer is, nor should companies that make 
amazing equipment. They should not be telling the American people how to solve this 
problem. The American people should be figuring out how they want to be governed. 
That conversation has to be informed by an understanding of the cost of absolute 
privacy. 

I found very depressing, just depressing—and even more depressing—a letter that a 
group of technology companies, that technologists sent to the President last year, which 
laid down all the tremendous benefits of encryption and I agree. There are extraordinary 
benefits to encryption. I love encryption. What I found depressing about it is, I read the 
thing multiple times, and not a single recognition of the costs associated with 
widespread, ubiquitous, strong encryption. That meant to me one of two things. They 
either failed to see the costs, which is depressing, or they weren't being fair-minded 
about it, which for smart people in some ways is even more depressing. 

I think we have to have a conversation in this county about where we want to be and the 
FBI’s job is to be a factual input. A lot of people said, "Oh, you're crying wolf. You 
people have all kinds of great ways to find information." What we're doing, we're using 
this period of time when the issue is not so prominent in American life to collect the 
data. We will show anyone who wants to see the impact on our work. 

Just to give you one snapshot, our forensic examiners received 4,000 devices in the 
first six months of this fiscal year, which is October to March. Five hundred of them 
could not be opened by any means. That’s a fair number given the growth of ubiquitous, 
strong encryption both for data in motion, data at rest. It’s only going to grow. 

In those 500 are criminals who are getting away, victims who will not be rescued. 
Criminals who are actually getting away by getting themselves reduced sentences 



because we are not able to see the full extent of their criminal activity. And we believe 
that’s a problem. 


At some point, encryption is going to figure in a major event in this country. We've got to 
have the conversation before that happens because after that happens that time for 
reflection will be significantly reduced and this is a hard conversation. It’s a conflict of 
two values that we all share. It does not fit in a tweet. You can't shout it at each other. I 
very much hope that companies and private sector actors of all kinds and ordinary 
citizens and people of government will look for ways to have a productive conversation 
about this. 

Nobody has the high ground; nobody is a devil. In this conversation we all share the 
same values. We may weigh them differently but I know that Apple cares deeply about 
public safety and I know the FBI cares deeply about privacy and security on the 
Internet. I hope you'll join in that conversation, which means we will probably have to 
wait until after the election to have this space in American life to have that conversation, 
and that’s fine. We’ll continue collecting data so we can have that information before a 
conversation next year. 

To close with cyber, as I said we have to approach this with humility, with the 
recognition that we can't get ahead of all cyber threats, with humility enough to know 
that the way we think about recruiting, the way we think about technology, is surely 
going to change and with the humility to know that we at the government must have 
open minds. I hope together we can make a big difference to protect your world and the 
entire world. I thank you for caring enough about this to be here today. I look forward to 
our conversation. Thank you. 



